When the Trojan is executed, it creates the following files:
- %Temp%\[RANDOM NUMBER FILE NAME ONE].exe
- %Temp%\[RANDOM NUMBER FILE NAME TWO].exe
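A hunting sketch for the file-drop pattern above, added here as an example and not taken from the original write-up: it flags hosts where two or more executables with all-digit names were created directly in a Temp directory. The record fields (`host`, `path`), the list of directories that %Temp% expands to, and the reading of "random number file name" as an all-digit name are assumptions.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname  # parses Windows paths on any OS

# Directories that %Temp% commonly expands to (assumption; adjust per environment).
TEMP_DIR = re.compile(
    r"^[a-z]:\\(?:"
    r"users\\[^\\]+\\appdata\\local\\temp"
    r"|documents and settings\\[^\\]+\\local settings\\temp"
    r"|windows\\temp)$",
    re.IGNORECASE,
)
# Assumption: the random numeric file name consists of digits only.
NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)


def is_suspect_path(path):
    """True for an all-digit .exe name sitting directly in a Temp directory."""
    return bool(TEMP_DIR.match(dirname(path)) and NUMERIC_EXE.match(basename(path)))


def hunt(events):
    """Return {host: sorted suspect paths} for hosts with two or more distinct hits."""
    seen = defaultdict(set)
    for ev in events:
        if is_suspect_path(ev["path"]):
            seen[ev["host"]].add(ev["path"].lower())
    # The write-up describes two dropped files, so a single hit is not reported.
    return {host: sorted(paths) for host, paths in seen.items() if len(paths) >= 2}


# Constructed sample file-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-01", "path": r"C:\Users\alice\AppData\Local\Temp\48213.exe"},
    {"host": "WS-01", "path": r"C:\Users\alice\AppData\Local\Temp\90177.exe"},
    {"host": "WS-02", "path": r"C:\Users\bob\AppData\Local\Temp\setup_7.exe"},
    {"host": "WS-02", "path": r"C:\Users\bob\AppData\Local\Temp\551.exe"},
    {"host": "WS-03", "path": r"C:\Program Files\App\1234.exe"},
    {"host": "WS-03", "path": r"C:\Users\carol\AppData\Local\Temp\sub\77.exe"},
]

if __name__ == "__main__":
    for host, paths in hunt(SAMPLE_EVENTS).items():
        print(host, paths)
```

A hit is a lead for triage, not a verdict: legitimate installers also unpack numerically named executables into Temp directories.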
The Trojan also creates the following registry subkeys:
The Trojan will then run one of the following Bitcoin mining programs:
- If a GPGPU-enabled graphics card is found, it runs Phoenix Miner.
- Otherwise it runs RPC Miner.
The Trojan then sends the mined Bitcoins to a predetermined location.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":